I'm puzzled...practically at a loss for words. The cause? The fact that yet again, Microsoft finds and patches a vulnerability before an exploit is widely available, and still, hundreds of thousands of computers are infected. This is inexcusable.
Home users get something of a break, if only because many of them are simply ignorant of good security practices (rule #1: use NAT, or a firewall, to close any unused ports). Yes, they should be patching their computers, but too often they don't. But the really amazing thing is the number of businesses and government agencies getting hit hard. The DMV in Maryland shut down yesterday because of this worm. I want to know who's responsible for network security at the DMV, and I want them fired...NOW! I'm glad I don't live in Maryland (though I suspect my state may not be much better), given that this worm could potentially have been designed to lift information from computers, rather than just stage a DDoS attack.
What's the point of this rant? Just this...we, the more computer-savvy of society, have a responsibility to do what we can to prevent crap like this. The reality is that software is never going to be perfect, as long as humans are writing it. And Microsoft is in a bind because consumers would freak if Microsoft shipped their OS with the firewall and automatic updates enabled. So, IMO, it is incumbent on us to educate our less computer-savvy friends, relatives, and even those we work with (bosses, co-workers, and even clients) about the importance of firewalls, patching, and other important security practices. We can make a difference, if we make the effort.
OTOH, perhaps a better idea would be to institute a system of fines in which each time your computer is infected with a worm or other malware that can cause problems for others, you're fined $50. Perhaps a hit in the pocketbook would make people more aware of taking the necessary steps to secure their machines.
Keith Warren even suggested the idea of writing worms to “vaccinate” vulnerable machines:
It all makes me wonder why we have not evolved in this fight much in the way that the medical field does. I am talking about vaccination. Vaccines in large part work by giving a small dose of the problem, and I do not understand why we do not take that little tidbit and run with it. After knowledge of the vulnerability was available, someone could have created a worm vaccine that replicated and propagated itself in an identical fashion but had an actual purpose: to download and install the patch! Doing this, coupled with a patch campaign, would significantly reduce the attack surface.
It's a clever idea, but obviously one that won't fly legally. Any other ideas for preventing worm/virus propagation and getting users/managers/admins to take security seriously? I'd love to hear them.